[Mimedefang] Blocking spam senders using IPTables?

Aleksandar Milivojevic amilivojevic at pbl.ca
Thu Nov 4 09:35:16 EST 2004


Paul Murphy wrote:
> You are correct - Sendmail doesn't log them by default. If you get a null
> connection, that gets logged.  If the sender is refused by check_rcpt, that gets
> logged.  But invalid commands, including those generated after a sender ignores
> a 5xx error and carries on through the DATA phase, aren't logged at all.

Hm, wouldn't better idea be detecting this in Sendmail.  For example, 
after sendmail sends 5xx response to DATA, if next command looks like 
mail header, or if next 5 or 6 commands are invalid, start inserting 
sleep(60) after every call to read(), and call read() with really small 
buffer (say only 1k, or even smaller).  Only minimum bandwith will be 
wasted, spammer would be significantly slowed down, and you are still 
perfectly RFC compliant (there's nothing in RFC's saying that you are 
not allowed to slow things down).  It shouldn't be hard to patch 
Sendmail in this way.  Basically, this would be generalization of 
already existing Sendmail feature (slowing things down if number of bad 
RCPT's is detected).  If tactic becomes widespread, spammers might start 
actually looking for 5xx codes and acting accordingly.

-- 
Aleksandar Milivojevic <amilivojevic at pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7


More information about the MIMEDefang mailing list